From ae913ab6275ff746439a2d99f8a1550ec2e511ff Mon Sep 17 00:00:00 2001 From: Robin Haberkorn Date: Sat, 5 Jun 2021 17:43:58 +0200 Subject: teco_memory_check() now checks for addition overflows and negative searches () for multiplication overflows * Since the numbers come from "outside" (SciTECO scripts) this is easily possible, resulting either in missed checks or even memory corruption. * In particular, this fixes the "Searching with large counts" test case on 32-bit builds. Perhaps at least one CI build should be 32-bit? --- src/memory.c | 10 +++++++++- src/search.c | 9 +++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/memory.c b/src/memory.c index 9846753..2d93b12 100644 --- a/src/memory.c +++ b/src/memory.c @@ -678,7 +678,15 @@ teco_memory_check(gsize request, GError **error) { gsize memory_usage = g_atomic_int_get(&teco_memory_usage) + request; - if (G_UNLIKELY(teco_memory_limit && memory_usage > teco_memory_limit)) { + /* + * Check for overflows. + * NOTE: Glib 2.48 has g_size_checked_add(). + */ + if (G_UNLIKELY(memory_usage < request)) + /* guaranteed to fail if memory limiting is enabled */ + memory_usage = G_MAXSIZE; + + if (G_UNLIKELY(teco_memory_limit && memory_usage >= teco_memory_limit)) { g_autofree gchar *limit_str = g_format_size(memory_usage); g_set_error(error, TECO_ERROR, TECO_ERROR_MEMLIMIT, diff --git a/src/search.c b/src/search.c index 4c324a6..3ccecde 100644 --- a/src/search.c +++ b/src/search.c @@ -495,6 +495,15 @@ teco_do_search(GRegex *re, gint from, gint to, gint *count, GError **error) gsize matched_size = sizeof(teco_range_t) * -*count; + /* + * matched_size could overflow. + * NOTE: Glib 2.48 has g_size_checked_mul() which uses + * compiler intrinsics. + */ + if (matched_size / sizeof(teco_range_t) != -*count) + /* guaranteed to fail either teco_memory_check() or g_malloc() */ + matched_size = G_MAXSIZE; + /* * NOTE: It's theoretically possible that the allocation of the `matched` * array causes an OOM if (-count) is large enough and regular -- cgit v1.2.3